
Windows Server 2003 (DC) migration to Windows Server 2008


10 replies to this topic

#1
Shahid99

  • Member
  • 9 posts
  • Joined 07-August 12
  • OS:2003 x86
Hello All,

How are you? I need your help on this migration I'm doing on my domain controller, which is Windows Server 2003, to Windows Server 2008...

Well, actually, I did the migration by following these steps:

http://computech.in/...2008-r2-domain/

However, when I got to the last step I didn't demote the DC, so a few hours passed... all users couldn't access the network drives, and once they restarted their computers they couldn't log in.

Here is the prompt they were receiving:

"The local policy of this system does not permit you to logon"

The new server became the global catalog, so everything got messed up (all because I didn't demote the DC (Windows Server 2003)).

I removed the second domain controller, took off Active Directory and deleted the server from sites and trust.

Now, I just reinstalled the new server again (new machine, 2k8). If I want to follow the whole procedure again, will I be able to rerun adprep32 /forestprep? How can I rerun adprep? Please help me out!!!

Also, I didn't change the TCP/IP address from the old DC to the new DC... (the new DC 2k8 was just added to the domain with a different IP; I thought once I am done with everything I will bring down the main DC (2k3) and assign that address to the new DC (2k8)).



Thank You!!!



#2
Tripredacus

  • Super Moderator
  • 9,814 posts
  • Joined 28-April 06
  • OS:Server 2012

However, when I got to the last step I didn't demote the DC, so a few hours passed... all users couldn't access the network drives, and once they restarted their computers they couldn't log in.


I don't think it is required for you to demote the old DC. If it has no roles it can just sit there. Last time I did a migration I did this... however I left a role on the old DC because I got an error xfer it... and also put DNS on there. BUT my question is this (since you aren't too clear on this):

Were your users able to work properly during those few hours after the promo, but before they got the error?

#3
Shahid99

Yes, users were able to work properly during those few hours after the promo... but then all of a sudden this happened...

Right now I'm trying to figure out how I can redo the whole process.

1. I can't run adprep32 /forestprep

This is the output:

C:\Documents and Settings\Administrator.VAKIFBANK-DC>cd \win2k8\support\adprep

C:\win2k8\support\adprep>adprep32 /forestprep

ADPREP WARNING:

Before running adprep, all Windows 2000 Active Directory Domain Controllers in t
he forest should be upgraded to Windows 2000 Service Pack 4 (SP4) or later.

[User Action]
If ALL your existing Windows 2000 Active Directory Domain Controllers meet this
requirement, type C and then press ENTER to continue. Otherwise, type any other
key and press ENTER to quit.


c
Forest-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.



C:\win2k8\support\adprep>adprep32 /domainprep
Running domainprep ...


Domain-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.



C:\win2k8\support\adprep>adprep32 /domainprep /gpprep
Running domainprep ...


Domain-wide information has already been updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.


No Group Policy Object (GPO) updates needed, or GPO information has already been
updated.
[Status/Consequence]
Adprep did not attempt to rerun this operation.



Oh fyi:
Schema Version IS (47)
System Schema Version (31)

#4
Tripredacus


C:\win2k8\


Are you using a custom install?

Also, what is the current Domain Functional Level?

#5
Shahid99

Yes, my current domain controller doesn't have a CD drive, so I downloaded the ISO for Win 2008 R2 and then extracted the contents to C: (local drive)\win2k8 (I created this folder) and extracted everything in there... so now the directory is "C:\win2k8\support\adprep"

Current domain functional level is: Windows Server 2003

#6
Shahid99

Should I go ahead and do dcpromo on Windows Server 2008 (new machine) and add to an existing domain? :realmad: ;) ;) :no:

#7
allen2

  • Member
  • 1,812 posts
  • Joined 13-January 06
Most likely when you first tried, the policies didn't replicate properly, as the default GPOs from 2008 are a lot more restrictive than the 2003 ones. Before stopping the 2003 or transferring the roles or even allowing it to authenticate users (using Active Directory Sites and Services), you need to be sure that everything is properly replicated on the new DC (login scripts/GPO = the whole SYSVOL). Also check that the 2008 DC policies, after it is a computer member, are set like the Windows 2003 DC.

#8
Shahid99

Allen,

Right now the new server (Windows Server 2008 R2) has been added to the domain (member server),

so I can see the domain if I go to Administrative Tools\Active Directory Users and Computers.

I can see policies, users, workstations, authentications, etc...

NOTE: I DIDN'T ADD THE 2008 R2 server to an existing server by (dcpromo) yet!!!

I'm so lost!! Please kindly tell me briefly the next step for this migration...

Once again: before, adprep32 ran successfully, but due to the problems which I stated above I had to reinstall Windows Server 2008 R2 from scratch.

I deleted Active Directory, the DNS zone, CNAME, etc.

Right now on Windows Server 2003 (domain controller):

schema version REG_DWORD 0x000002f (47)

When I ran metadata cleanup this is the output:

metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=exampleny,DC=com ("exampleny" (up there i see my old domain controller)
select operation target: list servers in site
No active site list
.............................................................
I already removed the DNS zone and zone properties, and in AD Sites and Services I only see my domain controller.
Now, please tell me what my next step should be (just to be on the safe side).
I appreciate it!

#9
allen2

I would do the dcpromo on Windows 2008 R2 and set it as a DC without any roles and not GC; just add DNS server integration or do it manually (before, if done manually), and create a dedicated site for the 2008 DC to disallow user authentication.
Then I would check if everything is still working properly for users and check if AD replications are working (should take one hour). Then check the policies on the 2008 DC and compare them with the Windows 2003 DC, as there might be a gap since policy models aren't stored in SYSVOL anymore.
Next step would be checking if the 2008 DC allows clients to log on as usual (still using Active Directory Sites and Services, and use a small subnet for the test clients).
Then set it as GC and then transfer roles with ntdsutil (of course, after each step check if there are side effects).
The usual problems are the policies, which you might need to recreate/reset entirely on the Windows 2008 R2 depending on the settings that were on the Windows 2003 DC, as compatibility isn't always there (and that was most likely the problem you already encountered).
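
An added example, not part of allen2's post or the thread: one way to do the policy comparison described above for user rights assignments, the settings that decide who may log on to a DC. It assumes each DC's rights were exported with `secedit /export /cfg <file> /areas USER_RIGHTS`; the two sample exports and the SIDs in them are constructed for illustration.

```python
# Constructed sample exports (not from the thread). Files written by secedit
# are UTF-16, so read real ones with open(path, encoding="utf-16").read().
DC2003_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""
DC2008_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
SeBatchLogonRight = *S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

def parse_rights(text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def diff_rights(old, new):
    """Return {right: (only_on_old, only_on_new)} for every right that differs."""
    out = {}
    for right in sorted(set(old) | set(new)):
        a, b = old.get(right, set()), new.get(right, set())
        if a != b:
            out[right] = (sorted(a - b), sorted(b - a))
    return out

if __name__ == "__main__":
    changes = diff_rights(parse_rights(DC2003_INF), parse_rights(DC2008_INF))
    for right, (lost, gained) in changes.items():
        print(f"{right}: missing on new DC {lost}; extra on new DC {gained}")
```

A principal listed as missing under `SeInteractiveLogonRight` or `SeNetworkLogonRight` on the new DC is a group that could log on through the old DC but would be refused by the new one.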

#10
Shahid99

Alright Allen, I will try those steps. In the meantime, when you say disallow user authentication, what do you mean by that?

#11
allen2

If you set the 2008 DC in Active Directory Sites and Services in another subnet, by putting it in another site and setting this site to only allow authentication of clients of a subnet you don't use for production or don't use at all, then no client should be able to use the 2008 DC.



